Follow

Productive geekend! Set-up an ipv6 only server behind my residential router, address autoconfiguration and dynamic registration on a subdelegated name server and set up a Traefik edge application router serving a traditional nginx container.
Blabbeti blabbeti bu. Any other tech buzzwords i forgot? 😄

@loweel since you work in the telco sector, why mobile operators generally do not offer ipv6 connectivity but residential ISPs do?

@manux

I don’t fully agree on this, since many operators are using IPv6 on mobile. What I agree is that coming later, and what I agree is that, is being implemented quite slowly.

Anyhow, migration to IPv6 when it comes to mobile network is quite a long story.

The reason is: mostly hardware control. MEaning: in a broaband cable network , you have a CPE (you likely call it a “router” or a “modem”). So you have a given hardware, often certified to “work with your telco”, and you can implement a double stack quite easily. So what happens is:

your CPE does LCP, opens an “empty session” with the Service Edge of the BNG . It has a double stack.
the SE downloads your profile, which says you have IPv4 AND IPv6 and your CPE may support it.
PPPoE starts, you get your address, you are in some BGP pool, the LSR does BGP reflection , jadda jadda jadda, you are on the internet.

Now let’s go to mobile network.

your phone authenticates the SIM to the AUC. So far, no session is open.
once you are inside the network, the HLR knows you are there, and knows your EMEI and IMSI (“AKA” now for 5G) , so “in theory” should know about the capabilities of your phone. If it is branded.Otherwise, who says you can do ipv6 double stack successfully?
now you can start a MTP tunnel, and the next question is: which services are you allowed? Well, the pdpcontext is being created for you with list of features, and now the risk is that your phone cannot support IPv6 , or is not doing router solicitation, or it doesn’t understand router advertisement, or becames very, very insecure. By example you have a VPN on IPv4, but your IP leaks in IPV6. So you start now a ppp connection for IPv6, and your phone is naked. Not good.
according with how the pdpcontext is created, you need a SECOND APN in order to do that. Which means a second DNS request to check where to terminate the IPv6-related MTP tunnel, and where to terminate the IPv4 related MTP tunnel.

Lot of complexity here.

This is why, the few providers which are offering it, are ffering it just on tested models which are actually capable and safe:

https://telekomhilft.telekom.de/t5/Blog/Neuer-IPv6-Zugang-zum-mobilen-Internet-im-Netz-der-Telekom/ba-p/4254741

But the point is: how to standardize the behavior of mobile phones under IPv6, where you don’t control the phones, neither their os?

Well… just do XSLAT. This is a IPv6 to IPv4 translation, which allows you to be “full Ipv6” without your phone being aware of it.

https://blog.wirelessmoves.com/2020/02/ipv6-only-in-mobile-networks.html

XSLAT is the most used solution for cohexistence of IPv6 and IPv4 on the network, although Cisco has its offer and so and so.

@loweel wow, thank you for the detailed explanation. Very interesting.
Btw the reason why I am deploying ipv6 at home is that my ISP started giving my router private natted ipv4 addresses, but also a dynamic public /56 IPv6 network prefix that i can use to expose some of my home servers.
Very dangerous if not done properly, but also fun.

@manux

well… is not detail. Actually I cut off 75% of complexity. LOL.

the problem is, IPv6 has lot of feeatures like “privacy address” which can seem good at a first glance, but then….

Sometime ago I tried to SNAT the IPv6 ULA , and it worked. So you can also have private network if you are afraid.

@loweel I will look later into it, for the moment my home network is kept separated by another router with IPv6 disabled.

@manux

ULA addresses are the same thing as IPv4 “private” address , as a concept. They aren’t routed, you need to snat them. SO you can have back your security.

@loweel Indeed, but I have to be sure that the private addresses i set are the only ones the interfaces have. I am learning now how to keep the autoconfiguration "at bay". The last thing we want is an interface we suppose private, receiving a Router Advertisement and deciding autonomously to add a global address to the private one 😆😂

@manux

you need no ingress RA with ULA. They are assigned already. It’s zero-conf. Everything youn need is to have a small router (raspi) with 2 interfaces, then you do NOTHING and you leave ULA to take interfaces, and then you force one ULA address to your router and you describe it as priority router.

Sign in to participate in the conversation
OpenCloud Luxembourg Mastodon instance

A Mastodon instance for Luxembourg and beyond.